XF 2.3 Errors when trying to send email via SMTP using Brevo (formerly Sendinblue)

[Peretz]

Since around the time we upgraded our forums from 2.3.3 to 2.3.4, sending email via SMTP using Brevo (formerly Sendinblue) stopped working. I investigated the issue today, updated the settings with the new Brevo domain name and values, and get the following error when "Use SSL/TLS" is checked in the XenForo Email Options control panel:

Email to REDACTED from REDACTED failed: Connection could not be established with host "ssl://smtp-relay.brevo.com:587": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:0A00010B:SSL routines::wrong version number

If I uncheck the "Use SSL/TLS" box and try sending again, I get this error:

Email to REDACTED from REDACTED failed: Unable to connect with STARTTLS: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:0A000086:SSL routines::certificate verify failed

I've confirmed the settings (server, port, login, and password) are correct. I've read through several threads and the fixes are either not relevant to our configuration or they don't work.

EDIT: Our server is running OpenSSL 3.0.13.

Could anyone please advise on these issues?

 

[Sim]

Have you tried checking the "Use SSL/TLS" button and setting the port to 465?

https://help.brevo.com/hc/en-us/articles/10905415650322-Which-SMTP-port-should-I-use-Port-587-465-or-2525

I don't use Brevo, so I don't know what actually works.

 

[Peretz]

Have you tried checking the "Use SSL/TLS" button and setting the port to 465?

https://help.brevo.com/hc/en-us/articles/10905415650322-Which-SMTP-port-should-I-use-Port-587-465-or-2525

I don't use Brevo, so I don't know what actually works.

I tried port 465 with "Use SSL/TLS" checked and got this error:

Email to REDACTED from REDACTED failed: Connection could not be established with host "ssl://smtp-relay.brevo.com:465": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:16000069:STORE routines::unregistered scheme error:80000002:system library::No such file or directory error:0A000086:SSL routines::certificate verify failed

 

[MentaL]

Amazon SES is cheaper, btw. When they rebranded and upped the prices, bye.

 

[Sim]

How about port 465 with "Use SSL/TLS" unchecked?

 

[Chromaniac]

I definitely got Brevo to work with SSL on 2.3 when I checked it out during beta releases...

XF 2.3 Post in thread 'Anyone here got ZeptoMail or Brevo working with Xenforo 2.3 Betas?'

Jun 21, 2024

So, Brevo also works over SSL. Has a 300 mail per day limit on free accounts which is pretty nice for a small forum. The only problem is that they add a tracking pixel in all mails. This option seems to be mandatory on most accounts. I would be sticking to ZeptoMail for the time being. Easier to monitor bounced emails and block them. It's not free but their pricing is very reasonable here in India. Around Rs. 177 for 10,000 mails. Amazon SES is cheaper but they do not let me prepay for a couple of months in one go so I end up paying 20-30 rupees per month which gets annoying.

• Chromaniac

Too bad I would have to reverify domain to test what settings worked for me. I do not seem to have them in my notes.

 

[Peretz]

Amazon SES is cheaper, btw. When they rebranded and upped the prices, bye.

We're currently using the free plan on Brevo because we only use outbound email for forum registration verification emails and our host (understandably) doesn't want to enable email services on our server.

How about port 465 with "Use SSL/TLS" unchecked?

That configuration gives me this error:

Email to REDACTED from REDACTED failed: Connection to "smtp-relay.brevo.com:465" has been closed unexpectedly.

 

[Peretz]

I discovered another problem with AWS: We can't pay using PayPal. Our community is 100% funded by donations and we keep our expenses as low as possible, so we don't have or need (or want) a bank account or debit/credit card. AWS doesn't accept PayPal.

 

[Peretz]

I tried a different service (SMTP2GO) and got the following error with their default port (2525) and "Use SSL/TLS" checked:

Email to REDACTED from REDACTED failed: Connection could not be established with host "ssl://mail.smtp2go.com:2525": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:0A00010B:SSL routines::wrong version number

I'm starting to think I'll need to ask my host to make a change to the server configuration, but I'm not sure what to ask for.

 

[Peretz]

Same error when trying to use Mailgun.

Email to REDACTED from REDACTED failed: Connection could not be established with host "ssl://smtp.mailgun.org:587": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:0A00010B:SSL routines::wrong version number

I spoke with my host and he said he has SMTP relays working for WordPress. I checked the PHP info page and confirmed that HTTPS is turned on and OpenSSL support is enabled. Are there other settings I should be checking?

 

[ENF]

I ran these two commands to test the connection from my own server:
(testing that communication is open and possible)

openssl s_client -connect mail.smtp2go.com:2525
openssl s_client -connect smtp.mailgun.org:587

openssl s_client -connect mail.smtp2go.com:2525
CONNECTED(00000003)
139835144914832:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1740553976
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[enf88a@ruby]# openssl s_client -connect smtp.mailgun.org:587
CONNECTED(00000003)
140281627654032:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1740554062
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[enf88a@ruby]#

If you try those commands, do you get the same result?

 

[ENF]

And just for good measure, you may want to check your ca-certificates -- If memory serves me correctly, an out of date version can also cause similar errors.

 

[Peretz]

I ran these two commands to test the connection from my own server:
(testing that communication is open and possible)

openssl s_client -connect mail.smtp2go.com:2525
openssl s_client -connect smtp.mailgun.org:587

[...]

If you try those commands, do you get the same result?

I asked my contact at our hosting company to run the commands and these were the results:

openssl s_client -connect mail.smtp2go.com:2525
CONNECTED(00000003)
4087907CB5730000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

openssl s_client -connect smtp.mailgun.org:587
CONNECTED(00000003)
40174BD64A7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

 

[ENF]

I asked my contact at our hosting company to run the commands and these were the results:

Then, I would try to update your ca-certificates. You're getting the same version error on both attempts.

 

[hescominsoon]

Same error when trying to use Mailgun.

I spoke with my host and he said he has SMTP relays working for WordPress. I checked the PHP info page and confirmed that HTTPS is turned on and OpenSSL support is enabled. Are there other settings I should be checking?

so the server in question i do not run an smtp server at all and do not provide email services. The xenforo instance is the only non wordpress account and most of them use smtptogo without issue in wordpress. so i am curious what xenforo or this mail plugin is doing that is so different?

 

[hescominsoon]

Then, I would try to update your ca-certificates. You're getting the same version error on both attempts.

his certificates are gtg done every 90 days through LE...

 

[ENF]

his certificates are gtg done every 90 days through LE...

That would be incorrect. This is not the SSL for the site, this is the ca-certificates package installed on Linux systems. If this package is out of date, you will get OpenSSL errors like the ones noted above. (Example)

 

[hescominsoon]

That would be incorrect. This is not the SSL for the site, this is the ca-certificates package installed on Linux systems. If this package is out of date, you will get OpenSSL errors like the ones noted above. (Example)

if ca certificates was broken the other 65 sites would quit working as all of the sites use CA-certs to get their certs through let's encrpyt. it's only the xenforo site having issues..all of the other sites(which are wordpress) work just fine using smtp2go, mailgun, among others.

 

[ENF]

if ca certificates was broken the other 65 sites would quit working as all of the sites use CA-certs to get their certs through let's encrpyt. it's only the xenforo site having issues..all of the other sites(which are wordpress) work just fine using smtp2go, mailgun, among others.

That's all fine and good, but how do you explain:

openssl s_client -connect smtp.mailgun.org:587<br>CONNECTED(00000003)<br>40174BD64A7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:

....which has nothing to do with XenForo?

 

[hescominsoon]

That's all fine and good, but how do you explain:

openssl s_client -connect smtp.mailgun.org:587<br>CONNECTED(00000003)<br>40174BD64A7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:

....which has nothing to do with XenForo?

mailgun on several other accounts inside of wordpress works fine. this is an ubuntu lts server and if mailgun only checks by raw version number..that's not my issue...which happens with lts versions. honestly, it's only one account having an issue with a xenforo plugin..all of the rest of the accounts using smtp2go, mailgun, among others works fine..including all of the website certificates. As far as I am concerned, this is a xenforo issue and not a server issue...